Password Synchronization with Google Workspace (formerly G-Suite)
Prerequisite
Steps to enable API access in Google Workspace
IMPORTANT:
- Install the Password Sync Agent to synchronize native password changes and resets.
Before you can configure G-Suite with ADSelfService Plus for Password Synchronization, you have to enable Domain Admin API access in G-Suite.
- Go to Google Admin console
- Log on using your Google Workspace Administrator account
- Create a new project named ADSelfService Plus
- In the APIs and Services pane on the left, click the Library link. Under the Google Enterprise APIs, locate Admin SDK and turn it on.
- In the left pane, click the Credentials link
- On the right-hand side, click the Create Credentials button and select Service Account.
- Enter a name for the service account and assign it the Project owner role.
- The service account email is the one shown in the Email column. Click the link to edit it.
- Click Show Domain-Wide Delegation and select the checkbox for Enable Google Workspace Domain-wide Delegation. After saving, the client ID is created.
- In the Keys tab at the top of the page, select Add Key → Create New Key. Select P12 as the type and click Create. You will now receive a P12 file. Save this file to your computer and click Close.
- Grant domain-wide authority to this Service Account, using the steps mentioned below.
- Go to your Google domain's Admin console.
- In the left pane, click Security and then API controls.
- In the Domain wide delegation pane, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client ID field, enter the client ID obtained from the service account creation in step 9.
- In the One or More API Scopes field, enter the list of scopes that your application should be granted access to. For example, if you need domain-wide access to Users, Groups, and Organizational Units, enter:
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit
- Click the Authorize button.
Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain.
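Once delegation is authorized, the scopes the client asks for must exactly match the scopes entered for that client ID, or the token exchange is refused (typically with an unauthorized_client error). The Python below is an added example, not code from ADSelfService Plus or from this page: it normalizes the scope list as typed into the Admin console, reports any scope the client would request that was not authorized, and builds the domain-wide delegation JWT (service account as `iss`, the impersonated admin as `sub`). The service-account address, admin user and P12 file name are placeholders.

```python
import base64, json, time
from typing import Callable, Iterable, List

TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def normalize_scopes(scope_text: str) -> List[str]:
    """Split the comma-separated scope list as typed into the Admin console
    (newlines and stray spaces tolerated) into a sorted, de-duplicated list."""
    parts = scope_text.replace("\n", ",").split(",")
    return sorted({p.strip() for p in parts if p.strip()})


def missing_scopes(authorized_text: str, requested: Iterable[str]) -> List[str]:
    """Requested scopes that were not authorized for the client ID. Any entry here
    makes Google reject the token exchange (typically 'unauthorized_client')."""
    authorized = set(normalize_scopes(authorized_text))
    return sorted(s for s in requested if s not in authorized)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_delegation_assertion(sa_email: str, admin_user: str, scopes: Iterable[str],
                               signer: Callable[[bytes], bytes], now: int = 0) -> str:
    """Build the RS256 JWT exchanged at TOKEN_URI for an access token. The `sub`
    claim (the admin user being impersonated) is what domain-wide delegation adds."""
    now = now or int(time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": sa_email, "sub": admin_user, "scope": " ".join(scopes),
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> dict:
    """Decode the claim set (no signature check) so the values can be inspected."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    # Real signer: the P12 downloaded from the Keys tab (Google's documented default
    # P12 password is "notasecret"). File name and addresses below are placeholders.
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    from cryptography.hazmat.primitives.serialization import pkcs12
    key, _cert, _chain = pkcs12.load_key_and_certificates(
        open("ADSelfServicePlus-key.p12", "rb").read(), b"notasecret")
    rs256 = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    scopes = normalize_scopes("https://www.googleapis.com/auth/admin.directory.user")
    print(build_delegation_assertion("sa@example.iam.gserviceaccount.com",
                                     "admin@example.com", scopes, rs256))
```

Post the returned assertion to TOKEN_URI with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; a scope that `missing_scopes` reports must be added in the Admin console's domain-wide delegation entry before the exchange will succeed.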
Steps to configure Google Workspace with ADSelfService Plus
- Log into ADSelfService Plus admin console with admin credentials.
- Navigate to Configuration → Self-Service → Password Sync/Single Sign On.
- Select the G-Suite application.
Note: You can also find the G-Suite application using the search bar in the left pane or the alphabetical navigation option in the right pane.
- Enter the Application Name and Description.
- Enter the Domain name (e.g.: adselfserviceplus.com) of your Google Workspace domain.
- In the Assign Policies field, select the policies for which password sync needs to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy.
- Select Enable Password Sync.
- Enter the User Name (e.g.: demo@adselfserviceplus.com) of the Google Workspace admin account.
- Enter the Service Account Email (e.g.: 428499212222-9csoom2llko9292ro21rhm411214lkrh@developer.gserviceaccount.com) that was created in Google Workspace in the previous section.
- Select the relevant P12 Key File of the Google Workspace admin account.
- Click Add Application.